Cyber attacks are increasingly sophisticated and discreet. Nation states and cybercriminal organizations frequently bankroll and mastermind these attacks with the aim of financial or political gain. If attackers have high-powered backing behind them, shouldn’t defenders as well? Isn’t it time that organizations’ top leaders were actively engaged in defense? Granted, the vast majority of enterprises have an executive with direct responsibility for security. But for modern businesses, security leadership needs to ascend even higher in the organization: to the boardroom.
Recent, massive data breaches involving well-known companies, more legislation and regulation related to data security, geopolitical dynamics, and shareholder expectations are all factors making cybersecurity an agenda item in the boardroom. A report by the Information Systems Audit and Control Association (ISACA) revealed that 55 percent of corporate directors now have to personally understand and manage cybersecurity as a risk area. The latest cybersecurity initiatives from the White House, which include proposals related to security liability, will likely push this number even higher. Discussions on the size of that liability burden, where it should be placed, and how to encourage the sharing of information to strengthen defenses for all should command the attention of more corporate directors.
Given that in the modern economy every company runs on IT, an increased focus on cyber risk at the board level is a positive development, but one that is long overdue. Security is the business of every person in the organization, from the chief executive to the newest hire, and not just personnel with “security” in their title or job description. Everyone should be accountable, and learn how to avoid becoming a victim.
A core component of the future of cybersecurity will be greater engagement by the board. Corporate boards of directors across industries need to know what the cybersecurity risks to the business are and their potential impact.
So that boards can truly understand the scope of cybersecurity issues that affect the organization, we will likely see a rise in the number of CIOs and even CISOs on corporate boards. The phenomenon of external factors influencing board makeup isn’t new. In the previous decade, we saw a dramatic increase in the number of CFOs serving on corporate boards as a direct result of the global financial crisis and an increasingly complex regulatory environment. Research by Ernst & Young found that in 2002, 36 percent of CFOs from the world’s largest companies held board-level roles. Ten years later, the number had risen to nearly half.
With members that bring technology and cybersecurity expertise, boards can start getting answers to tough questions about security controls: What controls do we have in place? How well have they been tested? Do we have a reporting process? How quickly can we detect and remediate the inevitable compromise? And perhaps, the most important question: What else should we know?
Even if they don’t currently hold a board seat, CIOs and CISOs need to be prepared to answer these questions from the board, in terms that are meaningful to board members and that spell out the business implications. They must be as comfortable speaking about business strategy as they are about technology and security strategy. New business models such as direct to consumer, expansion into new channels and regions, and shifting supply chains can create significant business opportunities but also potential risk. Addressing how technology and security must align to support these models, with budgetary concerns and risk management top of mind, is critical.
Technology and security leaders must also possess knowledge of regulatory requirements and standards to help the board navigate and comply with new mandates. Insights into industry and technology trends, as well as strategies and experiences of similar organizations help provide board members with a frame of reference to evaluate current security postures and validate controls.
How to communicate is important as well. Every message should be delivered clearly, briefly, and with minimal technical jargon. For example, it’s expected that CIOs and CISOs understand threats and how the most recent attacks were successful. But translating the impact of those attacks into relevant business terms such as lost revenue, productivity, or profitability will help ensure the consequences are understood. Graphical tools like executive dashboards can also help focus discussions on metrics that are most relevant to the business.
Cybersecurity as a boardroom topic is not only a good thing, it is necessary. As defenders it gives us an opportunity to better educate the highest levels of leadership on the cybersecurity issues facing the business. With that knowledge, boards are equipped to make more informed security and risk management decisions and, together, we can better protect valuable assets while achieving business goals.